ryuk | 23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

Analysis

max time kernel
124s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
10/07/2021, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Size

121KB
MD5

7364f6222ac58896e8920f32e4d30aac
SHA1

915fd6fb4e20909025f876f3bb453ec52e21b7be
SHA256

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
SHA512

f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1248	FwttDbNOOrep.exe
3860	bugYBSsyslan.exe
2404	kfJNlSWZVlan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4740	icacls.exe
4752	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h2x.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dc_logo.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\ui-strings.js	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1248	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	79
PID 2288 wrote to memory of 1248	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	79
PID 2288 wrote to memory of 1248	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	79
PID 2288 wrote to memory of 3860	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	80
PID 2288 wrote to memory of 3860	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	80
PID 2288 wrote to memory of 3860	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	80
PID 2288 wrote to memory of 2404	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	81
PID 2288 wrote to memory of 2404	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	81
PID 2288 wrote to memory of 2404	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	81
PID 2288 wrote to memory of 4740	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	82
PID 2288 wrote to memory of 4740	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	82
PID 2288 wrote to memory of 4740	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	82
PID 2288 wrote to memory of 4752	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	83
PID 2288 wrote to memory of 4752	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	83
PID 2288 wrote to memory of 4752	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	83
PID 2288 wrote to memory of 4796	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	86
PID 2288 wrote to memory of 4796	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	86
PID 2288 wrote to memory of 4796	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	86
PID 2288 wrote to memory of 2904	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	89
PID 2288 wrote to memory of 2904	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	89
PID 2288 wrote to memory of 2904	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	89
PID 2288 wrote to memory of 1448	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	88
PID 2288 wrote to memory of 1448	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	88
PID 2288 wrote to memory of 1448	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	88
PID 2288 wrote to memory of 4900	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	92
PID 2288 wrote to memory of 4900	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	92
PID 2288 wrote to memory of 4900	2288	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	92
PID 4796 wrote to memory of 5152	4796	net.exe	96
PID 4796 wrote to memory of 5152	4796	net.exe	96
PID 4796 wrote to memory of 5152	4796	net.exe	96
PID 1448 wrote to memory of 5144	1448	net.exe	95
PID 1448 wrote to memory of 5144	1448	net.exe	95
PID 1448 wrote to memory of 5144	1448	net.exe	95
PID 2904 wrote to memory of 5264	2904	net.exe	97
PID 2904 wrote to memory of 5264	2904	net.exe	97
PID 2904 wrote to memory of 5264	2904	net.exe	97
PID 4900 wrote to memory of 5168	4900	net.exe	94
PID 4900 wrote to memory of 5168	4900	net.exe	94
PID 4900 wrote to memory of 5168	4900	net.exe	94

C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
"C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\FwttDbNOOrep.exe
  "C:\Users\Admin\AppData\Local\Temp\FwttDbNOOrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\bugYBSsyslan.exe
  "C:\Users\Admin\AppData\Local\Temp\bugYBSsyslan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\kfJNlSWZVlan.exe
  "C:\Users\Admin\AppData\Local\Temp\kfJNlSWZVlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4740
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5264
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...